
RE: TLS not working with 2.0.14



Wed, 10.12.2003 at 03.18, Patrick Cranston wrote:

> I'm having difficulty configuring TLS for LDAP.  I've followed the
> instructions in this thread:
> http://www.openldap.org/lists/openldap-software/200109/msg00745.html
> for generating a self signed certificate, with the Common Name set as the
> fully qualified domain name of my machine, and the -d127 debug output is
> showing that the CA is unknown.  Can anyone offer any suggestions?

Far too little info. At a guess, you aren't pointing ldapsearch to the
CA cert. in [/etc/openldap/|/usr/local/etc]/openldap.conf - 'man
ldap.conf'. The path should be readable by everyone. OpenLDAP has no
problems with self-signed certificates, as long as they are made
available both to the server and the client.

Try: openssl s_client -connect fqdn-name-of-host:636 (presuming DNS or
/etc/hosts is set up correctly) and look for the error number at the top
of the output. Should be 18 or 19.

> ldapsearch -d127 -H ldaps://xxx.xxxx.org -x -b ... -L -ZZ
> 
> returns:

No it doesn't :) You'll get an immediate error if you do -ZZ to ldaps:
TLS already started, or suchlike.

--Tonni

-- 
mail: billy - at - billy.demon.nl
http://billy.demon.nl
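The two checks Tonni suggests (read the verify error number out of `openssl s_client`, and make sure ldap.conf points at a CA cert the client can actually read), written up as a shell script. This is an added example, not code from the thread; the ldap.conf path is passed in by the caller and the s_client output it parses is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: automate the two checks from Tonni's reply.
# 1) pull the verify error number out of 'openssl s_client' output (18 and 19 are
#    what a self-signed server cert produces when the client does not trust it yet);
# 2) confirm the ldap.conf passed in names a TLS_CACERT file that exists and is
#    readable by everyone, since ldapsearch runs as an ordinary user.
# Assumed: POSIX sh with sed, ls and cut; ldap.conf path supplied by the caller.

# Explain an OpenSSL X509 verify result code ('man verify' has the full list).
explain_verify_code() {
  case "$1" in
    0)  echo "ok: chain verified against the configured CA" ;;
    18) echo "self-signed server certificate; client does not trust it yet" ;;
    19) echo "self-signed certificate in chain; add the CA cert to TLS_CACERT" ;;
    20) echo "unable to get local issuer certificate; wrong or missing CA cert" ;;
    *)  echo "verify error $1; see 'man verify'" ;;
  esac
}

# Read s_client output on stdin and print the first verify error number, taken
# from either "verify error:num=18:..." or "Verify return code: 18 (...)".
verify_code_from_output() {
  sed -n 's/^verify error:num=\([0-9]*\):.*/\1/p; s/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# Check that the ldap.conf in $1 has a TLS_CACERT that exists and is world-readable
# (a CA cert that only root can read still fails for everyone else). Returns 1 on
# any problem, with a one-line reason on stdout.
check_tls_cacert() {
  conf="$1"
  cacert=$(sed -n 's/^[[:space:]]*TLS_CACERT[[:space:]][[:space:]]*\(.*\)$/\1/p' "$conf" | head -n 1)
  [ -n "$cacert" ] || { echo "no TLS_CACERT directive in $conf"; return 1; }
  [ -f "$cacert" ] || { echo "TLS_CACERT file $cacert does not exist"; return 1; }
  # column 8 of 'ls -l' is the 'other' read bit: -rw-r--r-- -> r, -rw------- -> -
  [ "$(ls -ld "$cacert" | cut -c8)" = "r" ] || { echo "$cacert is not readable by everyone"; return 1; }
  echo "TLS_CACERT $cacert ok"
}
```

Typical use is `openssl s_client -connect fqdn-name-of-host:636 </dev/null 2>&1 | verify_code_from_output` followed by `check_tls_cacert /etc/openldap/ldap.conf` (or wherever your build keeps it).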